diff options
author | niko.mauno@vaisala.com <niko.mauno@vaisala.com> | 2020-09-10 16:17:50 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2020-09-12 08:55:28 -0700 |
commit | 4cf81a584773c9e946595ded9193723ebd6425e0 (patch) | |
tree | be2e9bac79f2b83865f86e474e22bf13c6ccbc1f | |
parent | fd23d5256513cdf6641d8dd421a5c75a9b78b7d9 (diff) | |
download | meta-security-4cf81a584773c9e946595ded9193723ebd6425e0.tar.gz |
dm-verity-image-initramfs: Ensure verity hash sync
In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystems' root hash,
we disable the timestamp for do_rootfs() task here, meaning that the
task will be re-executed whenever some task that depends on it executes.
Without this change, executing e.g. the following sequence
$ bitbake <DM_VERITY_IMAGE>
$ bitbake -c clean <DM_VERITY_IMAGE>
$ bitbake <DM_VERITY_IMAGE>
results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like
Mounting /dev/vda over dm-verity as the root filesystem
[ 8.729974] device-mapper: verity: sha256 using implementation sha256-generic
[ 8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
[ 8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
[ 8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
Verity device detected corruption after activation.
[ 8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
[ 8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
[ 8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
...
[ 9.135707] EXT4-fs (dm-0): unable to read superblock
[ 9.142897] EXT4-fs (dm-0): unable to read superblock
[ 9.145393] EXT4-fs (dm-0): unable to read superblock
[ 9.147905] FAT-fs (dm-0): unable to read boot sector
mount: /new_root: can't read superblock on /dev/mapper/rootfs.
BusyBox v1.32.0 () multi-call binary.
Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]
[ 9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[ 9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
[ 9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
...
[ 9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | recipes-core/images/dm-verity-image-initramfs.bb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index f9ea376..60e9892 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb | |||
@@ -16,6 +16,9 @@ PACKAGE_INSTALL = " \ | |||
16 | # Can we somehow inspect reverse dependencies to avoid these variables? | 16 | # Can we somehow inspect reverse dependencies to avoid these variables? |
17 | do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" | 17 | do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" |
18 | 18 | ||
19 | # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE | ||
20 | do_rootfs[nostamp] = "1" | ||
21 | |||
19 | IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" | 22 | IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" |
20 | 23 | ||
21 | inherit core-image | 24 | inherit core-image |